fix: update mainModuleVersion function to always prefix v to findings (#3087)

* chore: basic fix Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> * test: make sure ldflags are prefixed with v --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-17 16:33:21 +01:00 · 2024-08-01 11:29:07 -04:00 · 2024-08-01 11:29:07 -04:00 · c84cb2cf84
commit c84cb2cf84
parent 05a10e8bed
3 changed files with 24 additions and 14 deletions
--- a/syft/pkg/cataloger/golang/cataloger_test.go
+++ b/syft/pkg/cataloger/golang/cataloger_test.go
@ -20,7 +20,7 @@ func Test_PackageCataloger_Binary(t *testing.T) {
 			name:    "simple module with dependencies",
 			fixture: "image-small",
 			expectedPkgs: []string{
-				"anchore.io/not/real @ (devel) (/run-me)",
+				"anchore.io/not/real @ v1.0.0 (/run-me)",
 				"github.com/andybalholm/brotli @ v1.0.1 (/run-me)",
 				"github.com/dsnet/compress @ v0.0.2-0.20210315054119-f66993602bf5 (/run-me)",
 				"github.com/golang/snappy @ v0.0.2 (/run-me)",
@ -34,17 +34,17 @@ func Test_PackageCataloger_Binary(t *testing.T) {
 				"stdlib @ go1.22.4 (/run-me)",
 			},
 			expectedRels: []string{
-				"github.com/andybalholm/brotli @ v1.0.1 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/dsnet/compress @ v0.0.2-0.20210315054119-f66993602bf5 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/golang/snappy @ v0.0.2 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/klauspost/compress @ v1.11.4 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/klauspost/pgzip @ v1.2.5 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/mholt/archiver/v3 @ v3.5.1 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/nwaples/rardecode @ v1.1.0 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/pierrec/lz4/v4 @ v4.1.2 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/ulikunitz/xz @ v0.5.9 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"github.com/xi2/xz @ v0.0.0-20171230120015-48954b6210f8 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
-				"stdlib @ go1.22.4 (/run-me) [dependency-of] anchore.io/not/real @ (devel) (/run-me)",
+				"github.com/andybalholm/brotli @ v1.0.1 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/dsnet/compress @ v0.0.2-0.20210315054119-f66993602bf5 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/golang/snappy @ v0.0.2 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/klauspost/compress @ v1.11.4 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/klauspost/pgzip @ v1.2.5 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/mholt/archiver/v3 @ v3.5.1 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/nwaples/rardecode @ v1.1.0 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/pierrec/lz4/v4 @ v4.1.2 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/ulikunitz/xz @ v0.5.9 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"github.com/xi2/xz @ v0.0.0-20171230120015-48954b6210f8 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
+				"stdlib @ go1.22.4 (/run-me) [dependency-of] anchore.io/not/real @ v1.0.0 (/run-me)",
 			},
 		},
 		{
--- a/syft/pkg/cataloger/golang/parse_go_binary.go
+++ b/syft/pkg/cataloger/golang/parse_go_binary.go
@ -180,6 +180,10 @@ func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *exten
 	version := c.findMainModuleVersion(metadata, gbs, reader)

 	if version != "" {
+		// make sure version is prefixed with v as some build systems parsed
+		// during `findMainModuleVersion` can include incomplete semver
+		// vx.x.x is correct
+		version = ensurePrefix(version, "v")
 		main.Version = version
 		main.PURL = packageURL(main.Name, main.Version)

@ -398,3 +402,10 @@ func createMainModuleFromPath(existing *extendedBuildInfo) debug.Module {
 		Version: devel,
 	}
 }
+
+func ensurePrefix(s, prefix string) string {
+	if !strings.HasPrefix(s, prefix) {
+		return prefix + s
+	}
+	return s
+}
--- a/syft/pkg/cataloger/golang/test-fixtures/image-small/Dockerfile
+++ b/syft/pkg/cataloger/golang/test-fixtures/image-small/Dockerfile
@ -7,8 +7,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 COPY main.go main.go

-RUN CGO_ENABLED=0 GOOS=linux go build -o run-me .
-
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.Version=1.0.0" -o run-me .

 FROM scratch